Many people are concerned about the theft of sensitive information, and rightfully so. According to the 2016 Identity Fraud study by Javelin Strategy and Research, identity theft cost U.S. consumers $15 billion in 2015. Businesses also fall victim to identity theft, to the tune of $221 billion worldwide each year.
But a more insidious data security problem is gaining attention, due in part to the recent U.S. election. Malicious actors are not just stealing data but manipulating it, whether for political, competitive, or financial gain, to disrupt organizational processes, or for some other nefarious purpose. Security experts are warning that data manipulation is a rapidly growing threat that can cause long-term reputational damage to organizations that fall victim.
When you think about it, data manipulation is more alarming than data theft, and could have a devastating impact on any entity that relies on public trust. Interfering with election results is obviously of great concern; the Russian group allegedly responsible for the security breaches related to the U.S. election is believed to be turning its attention to Germany’s upcoming vote. Governments also hold vast stores of information, and public trust in national institutions would be undermined if the integrity of that information were called into doubt.
Data manipulation can also wreak havoc on a smaller scale. Imagine the brand damage that would result if a bank could not vouch for account balances, or a manufacturing plant found that its quality assurance data had been tampered with. The healthcare sector has long grappled with data integrity, given that incorrect patient information could have life-or-death consequences. Generally, however, those concerns focus on internal errors as opposed to deliberate manipulation by a malicious actor.
If malicious actors were to manipulate identity data and access credentials, the results could be especially dire. The attackers could not only gain access to sensitive systems and data, but prevent authorized users from accessing those resources. They could expose company secrets or spread misinformation. They could manipulate physical security information to enter facilities and restricted areas. The list goes on and on.
Given that identity and access management (IAM) systems are the “front door” to digital resources and data, the data manipulation threat requires a more fine-grained approach to identity governance and access controls than organizations typically apply today. It’s not enough to simply implement two-factor authentication or biometrics; biometric data is reduced to a hash and stored, and can be manipulated like any other data. Organizations must consider encryption and other techniques to protect identity data without hampering user productivity. They must also monitor systems and networks for unusual user behavior that could point to compromised credentials. User behavior monitoring will be the subject of our next post.
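As an added illustration (not code from this post), the Python sketch below shows one way to make manipulation of stored identity data detectable: each record carries a keyed tag over its user ID, role, and biometric template hash, so a changed field or a row copied under another user's name fails verification. The choice of HMAC-SHA256, the field names, the key handling, and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: the real key lives in an HSM or secrets
# manager, so database write access alone cannot produce a valid tag.
MAC_KEY = b"constructed-demo-key"
PROTECTED = ("user_id", "role", "template_hash")


def seal(record: dict) -> dict:
    """Copy the protected fields and attach an HMAC-SHA256 tag over them."""
    body = {f: record[f] for f in PROTECTED}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["tag"] = hmac.new(MAC_KEY, msg, hashlib.sha256).hexdigest()
    return body


def load(db: dict, user_id: str):
    """Return the stored record only if it is untampered and belongs to user_id."""
    record = db.get(user_id)
    try:
        expected = seal(record)["tag"]
        intact = hmac.compare_digest(expected.encode(), str(record["tag"]).encode())
    except (KeyError, TypeError):
        return None  # missing row, or a protected field / tag was deleted
    # The tag covers user_id, so a validly sealed row moved under another
    # user's key is caught by this comparison.
    return record if intact and record["user_id"] == user_id else None


def demo_db() -> dict:
    """Constructed identity store; the byte strings stand in for templates."""
    h = lambda sample: hashlib.sha256(sample).hexdigest()
    return {
        "alice": seal({"user_id": "alice", "role": "admin",
                       "template_hash": h(b"alice-template")}),
        "mallory": seal({"user_id": "mallory", "role": "guest",
                         "template_hash": h(b"mallory-template")}),
    }


if __name__ == "__main__":
    db = demo_db()
    print("clean row loads:", load(db, "alice") is not None)
    db["alice"]["template_hash"] = db["mallory"]["template_hash"]  # hash swapped
    print("swapped template loads:", load(db, "alice") is not None)
```

A plain, unkeyed hash gives no such protection, because anyone who can write to the store can recompute or replace it; the tag only helps if the key is kept where a database compromise does not reach it.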
According to Forrester, 88 percent of the market value of the S&P 500 comes from intangibles such as reputation and goodwill. A recent study by the International Association of Privacy Professionals’ (IAPP) Westin Research Center found that reputational damage is the number one data security concern of 83 percent of publicly traded companies. Given the enormous reputational risk posed by data manipulation, organizations should be taking steps to protect against this growing threat.